Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Battery-Free 2-Factor ID Secure?

Posted by timothy on from the go-ahead-do-your-worst dept.

An anonymous reader writes "There was a television program in Australia last week about Matthew Walker's visual battery-less two-factor authentication system called PassWindow. Essentially, you hold the clear plastic window up to the apparently random pattern on the screen of your computer, revealing a one-time PIN to type in for authentication. The plastic window has many advantages: difficult to copy or view over the shoulder, etc. Because there is no electronics, chip or battery, the PassWindow is extremely cheap to manufacture, giving it a big advantage over other two-factor authentication systems. However, I don't know about the security of the system. The apparently random pattern of lines in the PassWindow is analogous to a one-time pad, using a different subset of the one-time pad every time a PIN is needed. Is this a useful level of security for logging in to a bank account?"

3 of 180 comments (clear)

  1. Prior Art by Richard+W.M.+Jones · · Score: 5, Insightful

    Lenslok, hated by 8-bit gamers everywhere.

    --
    libguestfs - tools for accessing and modifying virtual machine disk images
  2. One major problem: monitor resolution by Saint+Fnordius · · Score: 4, Insightful

    A lot of these sorts of schemes assume some sort of fixed pixel size such as 96 dpi, a fantasy that hasn't been true since, well, ages. Some LED screens have up to 150 dpi resolution, others as low as 72dpi. If the scale is wrong, then the pixels won't line up and the decoder is then useless.

    Now, I admit it's possible that the creator of this scheme might have solved this, but I doubt it. A colour filter like those games whose clues are read through a red plastic foil viewer would be far too easy to crack, for example.

    I can't escape the impression that this is just security theatre and not serious security after all.

  3. Chaum-like by goombah99 · · Score: 4, Insightful

    This is sort of like one of Chaum's voting system reciepts. those are provably secure for single use.

    however having watched the video, it's obvious this one is weakly secure for a single use and rapidly insecure for multiple uses.

    given a series of challenges one should be able to apply a process of elimination to determine the missing elements.

    the alternative would seem to be to choose the challenge from a restricted pallet of challenges that assures some ambiguity. in this case intercepting a bunch of challenges will simply reduce the number of possible choices.

    for example, if the ambiguity could be maintained at 3 choices per digit then 7 digits provides 2187 possiblilites.

    that's actually not hideous. it's comparable to a bicycle lock. thus the key to making that low number useful is to prevent someone from rapidly trying the challenges exhaustively.

    e.g. if you are only allowed 2 challenges per 30 minutes, or more deviously, if the challenger denies access with say 10% probability even when you type in the right pass code.

    this will make such 2- factor while not government grade probably not worth the attackers time.

    --
    Some drink at the fountain of knowledge. Others just gargle.